Costa Tsaousis (ktsaou)
07fde44784
fix for EXPLAIN mode
2015-01-18 21:38:38 +02:00
Costa Tsaousis (ktsaou)
64003397ba
fixed recursion at exit
2015-01-17 18:26:35 +02:00
Costa Tsaousis (ktsaou)
dad17607a0
firehol may not restore an IPv6 firewall at exit, if it was running only in IPv6 mode; made it properly handle Control-C by trapping INT
2015-01-17 17:41:52 +02:00
Costa Tsaousis (ktsaou)
dc65bd4b97
fix for issue #43
2015-01-10 21:50:20 +02:00
Costa Tsaousis (ktsaou)
8e6af3ae24
system-wide defaults file /etc/firehol/firehol-defaults.conf; added option to make start behave like restore if the config files are not changed; restoration of last firewall now takes into account all files in /etc/firehol and /etc/firehol/services and also the command line arguments that may have been passed to firehol.conf; stop does not save the running firewall anymore (it could lead to an endless loop of activating the wrong firewall again and again); added option "nofast" to command line args to quickly try to activate a firewall without fast activation; fast activation is now enabled by default; silent drop of orphan TCP ACK,FIN is enabled by default; various other minor fixes
2015-01-06 19:53:45 +02:00
Costa Tsaousis (ktsaou)
7417f01bcc
Merge branch 'master' of github.com:ktsaou/firehol
2015-01-04 02:25:18 +02:00
box@home root
dfdc5819cc
accounting warning moved on first use of an accounting rule.
2015-01-04 02:24:42 +02:00
Phil Whineray
98855eaa30
Fix chain-exists logic in: with recent/knock/limit
Typo from switching to an associative array. We need to create
the chain first time through, when the value is empty.
2015-01-03 13:44:27 +00:00
Costa Tsaousis (ktsaou)
c9ed9c746f
added support for accounting using NFACCT, to use it just add 'accounting [name]' to any statement (even interfaces, NAT, server, client, etc), where [name] is a name to be given to the accounting object, then when the firewall is running use '/usr/sbin/nfacct list' to get the counters; converted unique chain management from files to associative bash arrays; added 'local' to a large number of rules that were missing; fixed error handling of the restore feature; made 'debug' mode aware of the ipv4 and ipv6
2015-01-03 07:45:19 +02:00
Costa Tsaousis (ktsaou)
5451641021
better support for restoring postprocessed commands - any kind of command, not just kernel modules
2014-12-30 20:42:58 +02:00
Costa Tsaousis (ktsaou)
b10a8622cb
Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop it saves the firewall again, with their packet and byte counters, so that when restored it continues where it left. So at boot it should be called with "restore" and at shutdown it should be called with "stop"
2014-12-19 23:46:53 +02:00
Costa Tsaousis (ktsaou)
a4dba2b212
fixed physin/physout to specify new iptables options --physdev-is-bridged in routers, --physdev-is-in at the input of interfaces, --physdev-is-out at the output of interfaces
2014-11-19 01:50:47 +02:00
Phil Whineray
521e8c142d
Delete activation rules by spec not number
Fixes #41
The assumption that the rules added to allow established connections
during activation will always be first is wrong for configs with
iptables -I statements.
2014-11-06 22:36:08 +00:00
Phil Whineray
09748049ee
Prevent all IPv6 actions after initial disable
2014-10-18 08:15:47 +01:00
Phil Whineray
ca07e978f8
Detect non-IPv6 hosts
2014-10-18 08:04:12 +01:00
Phil Whineray
6dd351f5cc
Fix "accept with limit"
Chain names were created too long and only the first of IPv4 or IPv6
2014-10-15 17:11:03 +01:00
Phil Whineray
a6a5e55c41
Create functional helpme output
Includes pointers to the IPv6 upgrade documentation
Fixes issue #35
2014-10-04 13:38:34 +01:00
Phil Whineray
5fecbb9591
Remove redundant firehol_wget and wget_cmd helpers
They were used by ecn_shame only, which was removed some time back since
the list is no longer available.
Thanks to Jerome Benoit
2014-10-04 10:54:32 +01:00
Phil Whineray
1f0db36baf
Use mktemp for temporary directories during RPC
Slightly safer than random numbers because it can never conflict
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
da7b96e7ab
Don't delete and recreate the temporary directory
mktemp already ensured it was unique as part of creating it
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
87f8827e75
Treat mktemp like other required commands
Add it to configure script and use the which_cmd to detect at runtime.
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
8b8e5c9761
Silence module detection warning when not loading
The warning says that we will always load the modules, even though we
will honour the variable which says never to do so.
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e14e118532
Update copyright strings
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e8c70871c5
Do not fix source ports for DHCPv6
Some servers do not use them, and the RFC allows this.
http://lists.firehol.org/pipermail/firehol-support/2014-July/002824.html
http://www.ietf.org/rfc/rfc3315.txt
2014-07-27 12:07:59 +01:00
Phil Whineray
edd7dace10
Explain that ICMPv6 ND/RD packets are untracked
2014-07-27 11:25:02 +01:00
Phil Whineray
f741b4b422
Ensure dst4 and dst6 work in interface
src4 and src6 are already OK
2014-06-07 17:26:31 +01:00
Costa Tsaousis (ktsaou)
e323bd501f
reworked tproxy parameters parsing for issue #25
2014-03-25 23:42:13 +02:00
Costa Tsaousis (ktsaou)
ef153a80d0
tproxy support. beta. may not work. fixed issue #25
2014-03-25 23:13:20 +02:00
Costa Tsaousis (ktsaou)
c732df28a6
added warning if MARK and CONNMARK are used together, for issue #23
2014-03-14 01:31:44 +02:00
Costa Tsaousis (ktsaou)
46955f9eb4
added support for failed lines detection for issue #22 , improved connmark for issue #23
2014-03-14 01:13:28 +02:00
Costa Tsaousis (ktsaou)
83a084e9c1
another connmark fix for issue #23
2014-03-13 03:08:34 +02:00
Costa Tsaousis (ktsaou)
e51a46a140
another connmark fix for issue #23
2014-03-13 02:35:12 +02:00
Costa Tsaousis (ktsaou)
54cfeaeaae
connmark fix for issue #23
2014-03-13 01:46:50 +02:00
Costa Tsaousis (ktsaou)
fe40dbc5bc
fixes issues #22 and #23
2014-03-13 00:20:00 +02:00
Phil Whineray
750da174ca
Fix IPv4-only save/restore and fastactivation
These were still trying to run, despite the commands not being available
2014-02-22 11:54:39 +00:00
Phil Whineray
40fde76a78
Fix firehol save
Was trying to save to temporary location, not the specified one.
Error introduced in df50d6cb29b9a716a40d99918de46cb0e899e42a.
2014-02-22 08:44:26 +00:00
Phil Whineray
95b3e66836
Use IPv4 only unless config version is set as 6
2014-02-09 18:11:39 +00:00
Phil Whineray
bb19f5500a
Fix line numbering for new commands
2014-02-03 22:58:10 +00:00
Phil Whineray
097ae80b91
Apply ipv4/ipv6 to whole group
2014-02-03 22:56:56 +00:00
Phil Whineray
43c27203eb
Add helpers for interface and router
interface4, interface6, interface46
router4, router6, router46
2013-12-01 19:57:57 +00:00
Phil Whineray
6a25798e2b
Added DHCPv6 service
2013-12-01 17:56:34 +00:00
Phil Whineray
90f158887c
Update line-numbering to work with any awk
2013-12-01 17:16:41 +00:00
Phil Whineray
25d693dc86
Enable fast activation for IPv6
2013-12-01 14:59:44 +00:00
Phil Whineray
35c2a0443a
Finalise setup of internal IP variables
For IPv4 we look for files named:
MULTICAST_IPV4 but will use MULTICAST_IPS if it is all there is
PRIVATE_IPV4 but will use PRIVATE_IPS if it is all there is
RESERVED_IPV4 but will use RESERVED_IPS if it is all there is
For IPv6 we look for files named:
MULTICAST_IPV6
RESERVED_IPV6
PRIVATE_IPV6
Within a configuration the variables can be used as:
router src4 not "$PRIVATE_IPV4" src6 not "$PRIVATE_IPV6"
or using the equivalent 'special variable' which expands according to need:
router src not "$PRIVATE_IPS"
2013-11-24 11:09:46 +00:00
Phil Whineray
a7a42b33a9
Do not lose negative src/dst when in both mode
2013-11-23 10:44:16 +00:00
Phil Whineray
8386193c90
Force ping rules to use correct versions of icmp
2013-11-23 09:58:19 +00:00
Phil Whineray
d69b02df24
Evaluate ip lists at time of extraction
2013-11-23 09:00:59 +00:00
Phil Whineray
44bcff7577
Allow multiple functions to be used at once
2013-11-23 09:00:59 +00:00
Phil Whineray
d65d0dd256
Allow IPv4 and IPv6 in one src/dst using functions
The same function will be evaluated in both ipv4 and ipv6 context. It
should be defined to return appropriate values at the appropriate time.
2013-11-23 09:00:58 +00:00
Phil Whineray
c259ad8e7c
Work with only IPv4 or IPv6 where necessary
Disables the other if the commands are not available or do not work.
2013-11-23 08:48:37 +00:00